lack of builtin range checking of id fields
Reported by: anonymous
Owned by: None
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
The lack of built-in range checking for id fields is a vulnerability.
/service/docserver/papers/3/ --> produces a document
/service/docserver/papers/6578/ --> produces a 404 page
/service/docserver/papers/9999999999999999999/ --> throws OverflowError
Traceback is at http://paste.pocoo.org/show/218865/
I think the last case should throw DoesNotExist instead of causing server error.
In the case at hand I used generic views and sqlite3 DB backend.
Of course, one can check this oneself all over the place; however, that would be against the DRY principle.
Not to mention, it would be complicated when using generic views.
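The three cases in the report, reproduced outside Django with a plain sqlite3 connection, as an added example that is not part of the ticket or of Django's own code. The `papers` table, its rows, the `DoesNotExist` stand-in and the `get_paper` helper are constructed here for illustration; the only thing taken from the page is that an id beyond SQLite's 64-bit INTEGER range makes the driver raise OverflowError instead of simply matching nothing. The checked lookup turns that into the same "not found" outcome a wrong-but-in-range id gets.

```python
import sqlite3

# SQLite stores INTEGER as a signed 64-bit value; Python's sqlite3 module raises
# OverflowError ("Python int too large to convert to SQLite INTEGER") when a
# bound parameter does not fit, which is the server error seen in the ticket.
SQLITE_INT_MIN = -(2 ** 63)
SQLITE_INT_MAX = 2 ** 63 - 1


class DoesNotExist(Exception):
    """Stand-in for Django's Model.DoesNotExist (assumption, not Django's class)."""


def make_db():
    """Constructed in-memory table standing in for the ticket's 'papers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE papers (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO papers (id, title) VALUES (?, ?)",
        [(3, "third paper"), (7, "seventh paper")],
    )
    conn.commit()
    return conn


def get_paper_unchecked(conn, paper_id):
    """Naive lookup: hands the id straight to the driver (the reported behaviour).

    An out-of-range id reaches sqlite3 and surfaces as OverflowError.
    """
    row = conn.execute(
        "SELECT id, title FROM papers WHERE id = ?", (paper_id,)
    ).fetchone()
    if row is None:
        raise DoesNotExist(paper_id)
    return row


def get_paper(conn, paper_id):
    """Range-checked lookup.

    An id outside the INTEGER range cannot match any row, so it is reported as
    DoesNotExist (a 404 at the view layer) rather than left to blow up in the
    driver. This is the check the ticket asks the framework to apply centrally.
    """
    if not isinstance(paper_id, int) or not (SQLITE_INT_MIN <= paper_id <= SQLITE_INT_MAX):
        raise DoesNotExist(paper_id)
    return get_paper_unchecked(conn, paper_id)


def outcome(lookup, conn, paper_id):
    """Label what a lookup does for a given id, mirroring the three URLs above."""
    try:
        lookup(conn, paper_id)
        return "found"
    except DoesNotExist:
        return "404"
    except OverflowError:
        return "500"


if __name__ == "__main__":
    db = make_db()
    for pk in (3, 6578, 9999999999999999999):
        print(pk, "unchecked:", outcome(get_paper_unchecked, db, pk),
              "checked:", outcome(get_paper, db, pk))
```

The bounds used are SQLite's; a backend with a narrower id column (a 32-bit integer primary key, for instance) needs the check tightened to that column's range for the same reason.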
Change History (4)
comment:1 Changed 6 years ago by
Patch needs improvement: unset
comment:3 follow-up: 4 Changed 6 years ago by
Component: Database layer (models, ORM) → Documentation
Owner: changed from nobody to None